Comments (13)
Hi @dsielert ! Thank you for reporting the issue. Would you mind sharing the logs of the harbor-scanner-trivy pod? The logs viewer accessible from Harbor UI does not always allow us to see what's the root cause of an error.
To get even more insights, you can set the following Helm values:
helm install your-adapter ./helm/harbor-scanner-trivy \
--set "scanner.logLevel=trace" \
--set "scanner.trivy.debugMode=true"
from harbor-scanner-trivy.
2020-04-09T19:50:42Z [INFO] [/pkg/scan/job.go:276]: registration:
2020-04-09T19:50:42Z [INFO] [/pkg/scan/job.go:287]: {
"uuid": "348a8354-7a20-11ea-ad51-7aa0e75b9f43",
"name": "Trivy",
"description": "The Trivy scanner adapter",
"url": "http://harbor-harbor-trivy:8080",
"disabled": false,
"is_default": false,
"health": "healthy",
"auth": "",
"skip_certVerify": false,
"use_internal_addr": true,
"adapter": "Trivy",
"vendor": "Aqua Security",
"version": "0.5.3",
"create_time": "2020-04-09T05:08:52.72567Z",
"update_time": "2020-04-09T05:08:52.725672Z"
}
2020-04-09T19:50:42Z [INFO] [/pkg/scan/job.go:276]: scanRequest:
2020-04-09T19:50:42Z [INFO] [/pkg/scan/job.go:287]: {
"registry": {
"url": "http://harbor-harbor-core",
"authorization": "[HIDDEN]"
},
"artifact": {
"namespace_id": 2,
"repository": "devops/harbor-scanner-trivy",
"tag": "",
"digest": "sha256:999233e05de230e101596122206fe01c5cbdb35aab3509a77d1c319380c89689",
"mime_type": "application/vnd.docker.distribution.manifest.v2+json"
}
}
2020-04-09T19:50:42Z [INFO] [/pkg/scan/job.go:126]: Report mime types: [application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0]
2020-04-09T19:50:42Z [INFO] [/pkg/scan/job.go:153]: Get report for mime type: application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0
2020-04-09T19:50:44Z [ERROR] [/pkg/scan/job.go:235]: check scan report with mime type application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0: running trivy wrapper: running trivy: exit status 1: 2020-04-09T19:50:42.244Z DEBUG Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2020-04-09T19:50:42.247Z DEBUG cache dir: /home/scanner/.cache/trivy
2020-04-09T19:50:42.247Z INFO Use your github token
2020-04-09T19:50:42.249Z INFO Need to update DB
2020-04-09T19:50:42.249Z INFO Downloading DB...
2020-04-09T19:50:42.682Z DEBUG release name: v1-2020040912
2020-04-09T19:50:42.682Z DEBUG asset name: trivy-light.db.gz
2020-04-09T19:50:42.682Z DEBUG file name doesn't match
2020-04-09T19:50:42.682Z DEBUG asset name: trivy.db.gz
2020-04-09T19:50:42.767Z �[35mDEBUG�[0m asset URL: https://github-production-release-asset-2e65be.s3.amazonaws.com/216830441/d789d080-7a5a-11ea-95fe-45eb4da166d5?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200409%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200409T195042Z&X-Amz-Expires=300&X-Amz-Signature=6f5eaec91f26c53ffbec2331d6592f6f721b7592443edb9ce408d6689be3b1e2&X-Amz-SignedHeaders=host&actor_id=46495289&repo_id=216830441&response-content-disposition=attachment%3B%20filename%3Dtrivy.db.gz&response-content-type=application%2Foctet-stream
2020-04-09T19:50:43.894Z INFO Reopening DB...
2020-04-09T19:50:43.895Z DEBUG DB Schema: 1, Type: 1, UpdatedAt: 2020-04-09 12:06:40.503282174 +0000 UTC, NextUpdate: 2020-04-10 00:06:40.503281674 +0000 UTC
2020-04-09T19:50:43.935Z FATAL unable to initialize the docker scanner:
github.com/aquasecurity/trivy/internal/standalone.run
/home/circleci/project/internal/standalone/run.go:86
- unable to initialize a image struct:
github.com/aquasecurity/fanal/extractor/docker.newDockerExtractor
/go/pkg/mod/github.com/aquasecurity/[email protected]/extractor/docker/docker.go:76
- failed to initialize source:
github.com/aquasecurity/fanal/extractor/image.NewImage
/go/pkg/mod/github.com/aquasecurity/[email protected]/extractor/image/image.go:86
- unable to retrieve auth token: invalid username/password: unauthorized: incorrect username or password
: general response handler: unexpected status code: 500, expected: 200
from harbor-scanner-trivy.
Hey @dsielert thanks for sending the logs with more verbose output. However, I think the most useful is the log of the Trivy adapter pod, i.e. kubectl -n harbor logs harbor-scanner-trivy-0. Do you happen to have access to such log?
Also could you specify:
- Exact version of your Harbor installation
- Exact version of the Trivy adapter
- Which docker image are you trying to scan or at least which linux distro is it based on? The best would be if you could share a minimal Dockerfile so I can reproduce the bug in my env
- How did you get this image to Harbor? With docker pull or through Harbor replication?
Thanks in advance for providing such details!
from harbor-scanner-trivy.
Closing as stale. If this problem still exists please reopen the issue and provide requested details.
from harbor-scanner-trivy.
Did someone solve it?
from harbor-scanner-trivy.
We cannot solve it without additional details requested here. Is that something you can reproduce @itsecforu ?
from harbor-scanner-trivy.
- Harbor Version v2.1.1-5f52168e
- Scanner:
Name:Trivy
Vendor:Aqua Security
Version:v0.9.2
Capabilities
Consumes Mime Types:[application/vnd.oci.image.manifest.v1+json , application/vnd.docker.distribution.manifest.v2+json]
Produces Mime Types:[application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0]
Properties
com.github.aquasecurity.trivy.debugMode:false
com.github.aquasecurity.trivy.ignoreUnfixed:false
com.github.aquasecurity.trivy.insecure:false
com.github.aquasecurity.trivy.severity:UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
com.github.aquasecurity.trivy.skipUpdate:false
com.github.aquasecurity.trivy.vulnType:os,library
harbor.scanner-adapter/scanner-type:os-package-vulnerability
harbor.scanner-adapter/vulnerability-database-next-update-at:2/12/21, 3:33 PM
harbor.scanner-adapter/vulnerability-database-updated-at:2/12/21, 3:33 AM
org.label-schema.build-date:2020-08-20T12:02:30Z
org.label-schema.vcs:https://github.com/aquasecurity/harbor-scanner-trivy
org.label-schema.vcs-ref:680126a6c64ae1a34e8456915b45e35b14584be5
org.label-schema.version:0.14.1
- FROM docker/alpine:3.13.1
LABEL VERSION=0.0.1
RUN ["ls"]
- docker tag , docker pull
And my logfile:
2021-02-12T07:13:14Z [INFO] [/pkg/scan/job.go:325]: registration:
2021-02-12T07:13:14Z [INFO] [/pkg/scan/job.go:336]: {
"uuid": "9393e228-2285-11eb-8887-baba743666dd",
"name": "Trivy",
"description": "The Trivy scanner adapter",
"url": "http://harbor-harbor-trivy:8080",
"disabled": false,
"is_default": false,
"health": "healthy",
"auth": "",
"skip_certVerify": false,
"use_internal_addr": true,
"adapter": "Trivy",
"vendor": "Aqua Security",
"version": "v0.9.2",
"create_time": "2020-11-09T12:17:46.686957Z",
"update_time": "2020-11-09T12:17:46.686958Z"
}
2021-02-12T07:13:14Z [INFO] [/pkg/scan/job.go:325]: scanRequest:
2021-02-12T07:13:14Z [INFO] [/pkg/scan/job.go:336]: {
"registry": {
"url": "http://harbor-harbor-core:80",
"authorization": "[HIDDEN]"
},
"artifact": {
"namespace_id": 6,
"repository": "pipeline/test_image2",
"tag": "",
"digest": "sha256:6a891b01aebfb3a41246bd98bceaff768809d3b4149e72055152da29d239e67e",
"mime_type": "application/vnd.docker.distribution.manifest.v2+json"
}
}
2021-02-12T07:13:14Z [INFO] [/pkg/scan/job.go:156]: Report mime types: [application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0]
2021-02-12T07:13:14Z [INFO] [/pkg/scan/job.go:202]: Get report for mime type: application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0
2021-02-12T07:13:16Z [INFO] [/pkg/scan/job.go:219]: Report with mime type application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0 is not ready yet, retry after 5 seconds
2021-02-12T07:13:21Z [ERROR] [/pkg/scan/job.go:284]: check scan report with mime type application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0: running trivy wrapper: running trivy: exit status 1: 2021-02-12T07:13:19.164Z FATAL error in image scan: failed analysis: analyze error: failed to analyze layer: sha256:1119ff37d4a9531330e3b8487863ee8ae0308337351be9d5f8bb38f80790acd9 : unable to get uncompressed layer sha256:1119ff37d4a9531330e3b8487863ee8ae0308337351be9d5f8bb38f80790acd9: failed to get the layer content (sha256:1119ff37d4a9531330e3b8487863ee8ae0308337351be9d5f8bb38f80790acd9): unexpected EOF
: general response handler: unexpected status code: 500, expected: 200
from harbor-scanner-trivy.
Every scan triggered by Harbor that's failing will end up with status code: 500 displayed in Harbor Portal under scan job logs. Therefore we have to be more precise when we create issues and describe errors. The title 500 Error is really meaningless.
Anyway, there're two different issues reported here by @dsielert and @itsecforu respectively:
1. unable to retrieve auth token: invalid username/password: unauthorized: incorrect username or password
2. error in image scan: failed analysis: analyze error: failed to analyze layer: sha256:1119ff37d4a9531330e3b8487863ee8ae0308337351be9d5f8bb38f80790acd9 : unable to get uncompressed layer sha256:1119ff37d4a9531330e3b8487863ee8ae0308337351be9d5f8bb38f80790acd9
Re 1. we did not get any additional details to troubleshoot, hence I decided to close this issue.
Re 2. I'm trying to reproduce this error in my env, but I cannot build the pipeline/test_image2 image according to the provided instructions:
$ cat << EOF > Dockerfile
FROM docker/alpine:3.13.1
LABEL VERSION=0.0.1
RUN ["ls"]
EOF
$ docker build -t pipeline/test_image2 .
Step 1/3 : FROM docker/alpine:3.13.1
pull access denied for docker/alpine, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
@itsecforu Where did you get the docker/alpine:3.13.1 image from? Is it publicly available or did you mean alpine:3.13.1?
from harbor-scanner-trivy.
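The point made in the comment above, that every failed scan surfaces in Harbor as `unexpected status code: 500` while the real cause sits in Trivy's own output, as an added example (not part of the thread and not the adapter's code): a triage function that strips the ANSI colour codes from a scan job log and names the underlying error. The category names are hypothetical, and the sample logs are constructed, modelled on the two logs quoted in this thread with a placeholder digest.

```python
import re

ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")    # colour codes Trivy wraps around log levels
FATAL_RE = re.compile(r"\bFATAL\s+(.*)")   # text following Trivy's FATAL level
GENERIC = "unexpected status code: 500"    # wrapper Harbor adds to every failed scan

# Hypothetical category names, keyed on error substrings quoted in this thread.
CAUSES = [
    ("registry-auth", "unable to retrieve auth token"),
    ("layer-download", "failed to get the layer content"),
]

def root_cause(job_log):
    """Return (category, detail) for the text of a Harbor scan job log."""
    lines = [ANSI_RE.sub("", raw).strip() for raw in job_log.splitlines()]
    for category, needle in CAUSES:
        for line in lines:
            if needle in line:
                # Keep only the specific error, dropping the wrappers before it.
                return category, line[line.index(needle):]
    # Unknown cause: fall back to the last FATAL message Trivy printed.
    fatal = [m.group(1).strip() for m in map(FATAL_RE.search, lines) if m]
    if fatal:
        return "unclassified", fatal[-1]
    if any(GENERIC in line for line in lines):
        return "generic-500", "no Trivy output captured; read the adapter pod log"
    return None, ""

# Constructed samples modelled on the two logs in this thread.
AUTH_LOG = (
    "[ERROR] [/pkg/scan/job.go:235]: running trivy: exit status 1: "
    "2020-04-09T19:50:43.935Z \x1b[31mFATAL\x1b[0m unable to initialize the docker scanner:\n"
    "    - failed to initialize source:\n"
    "    - unable to retrieve auth token: invalid username/password: unauthorized\n"
    ": general response handler: unexpected status code: 500, expected: 200\n"
)
LAYER_LOG = (
    "[ERROR] [/pkg/scan/job.go:284]: running trivy: exit status 1: "
    "2021-02-12T07:13:19.164Z \x1b[31mFATAL\x1b[0m error in image scan: failed analysis: "
    "failed to get the layer content (sha256:<layer-digest>): unexpected EOF\n"
    ": general response handler: unexpected status code: 500, expected: 200\n"
)

if __name__ == "__main__":
    for name, log in (("auth", AUTH_LOG), ("layer", LAYER_LOG)):
        print(name, "->", root_cause(log))
```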
Yes, it's a public image!
pipeline/ - means local registry
from harbor-scanner-trivy.
Is it only this alpine:3.13.1 -based image causing the error? Or any other image in your registry? I could not reproduce the same in my env. Did you try rescanning to see if that was not a temporary network failure where Trivy could not download image layers?
from harbor-scanner-trivy.
istio/examples-helloworld-v1 scanned ok!
rescan alpine return the same error
from harbor-scanner-trivy.
docker pull docker.io/library/alpine:3.13.1
docker tag
docker push
I get weird status "unsupported":
from harbor-scanner-trivy.
You may want to check in Harbor official channel as I don't think it's related to Trivy. I just did the same e2e test and it looks okay in my setup:
from harbor-scanner-trivy.